Hello
Today, I will share with you how a business logic flaw allowed me to block any user from creating an account.

The testing started with one of the programs; I decided to hunt there and began with some recon and subdomain enumeration.

While Subfinder was running, I decided to hunt on the main target.com. I started Burp Suite and walked through the whole site. I tested for a few vulnerabilities like SQLi and ATO, but still didn't find anything, so I went to the profile page to check whether any vulnerability was there. While checking the site, I found that we can change the email to a new email, and the new email isn't verified at that time. So I entered a random email, then tried to create an account with that same email, and exactly what you'd expect: I got the error

"Email already exists in the database"

I decided to try resetting the password. If I could, I would have used the reset link, but here, since the email is not verified, the link is not sent to the user even after several tries. So I decided to report this low-hanging vulnerability and created a report to submit it, and after submitting it I got the notification in just 2 hours.

It was marked a duplicate (2 days later) of an issue that is in triaged status.
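As an added example (not the author's code or the target's), here is a constructed model of the email-change logic described above: the vulnerable mode binds an unverified address immediately, so its real owner can no longer register it, while the fixed mode keeps the change pending until a token is verified and re-checks uniqueness at confirmation time. The `AccountService` class, its methods and the sample addresses are assumptions made for the illustration.

```python
import secrets
from typing import Dict, Optional, Tuple


class AccountService:
    def __init__(self, require_verification: bool):
        self.require_verification = require_verification
        self.emails: Dict[str, str] = {}               # bound email -> user id
        self.pending: Dict[str, Tuple[str, str]] = {}  # user id -> (new email, token)

    def register(self, email: str, user_id: str) -> bool:
        if email in self.emails:  # "Email already exists in the database"
            return False
        self.emails[email] = user_id
        return True

    def change_email(self, user_id: str, new_email: str) -> bool:
        if new_email in self.emails:
            return False
        if not self.require_verification:
            # Vulnerable: bound at once, so the real owner can never register it.
            self._rebind(user_id, new_email)
            return True
        # Fixed: only record the request; nothing changes until verified.
        self.pending[user_id] = (new_email, secrets.token_urlsafe(16))
        return True

    def verify_email(self, user_id: str, token: str) -> bool:
        new_email, expected = self.pending.get(user_id, ("", ""))
        if not expected or not secrets.compare_digest(token, expected):
            return False
        del self.pending[user_id]
        # Re-check now: the owner may have registered the address meanwhile.
        if new_email in self.emails:
            return False
        self._rebind(user_id, new_email)
        return True

    def _rebind(self, user_id: str, new_email: str) -> None:
        self.emails = {e: u for e, u in self.emails.items() if u != user_id}
        self.emails[new_email] = user_id


def scenario(require_verification: bool) -> Tuple[bool, Optional[bool]]:
    """Constructed flow: u1 sets an address it does not own, then its owner (u2) registers."""
    svc = AccountService(require_verification)
    svc.register("first@example.test", "u1")
    svc.change_email("u1", "claimed@example.test")
    token = svc.pending.get("u1", ("", ""))[1]
    registered = svc.register("claimed@example.test", "u2")
    return registered, (svc.verify_email("u1", token) if token else None)
```

`scenario(False)` reproduces the write-up's outcome (the owner's registration is refused); `scenario(True)` lets the owner register and then rejects the stale pending change.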